Ransomworm: the next level of cybersecurity nastiness

2017 could see further evil innovations of ransomware.

As if holding your data hostage and seeking cash payment weren’t harsh enough, security experts foresee the next stage of ransomware to be even worse.

Scott Millis, CTO at mobile security company Cyber adAPT, expects ransomware to spin out of control in the year ahead. That is an astounding statement when you consider that there were more than 4,000 ransomware attacks daily in 2016, according to Symantec’s Security Response group (Report).

Corey Nachreiner, CTO at WatchGuard Technologies, predicts that 2017 will see the first ever ransomworm, causing ransomware to spread even faster.

Crypto-ransomware is a type of ransomware that encrypts your files and holds them captive until ransom demands are met. Since the release of Cryptolocker in late 2013, crypto-ransomware has taken off. According to the FBI, cyber criminals used ransomware to steal over $209 million from U.S. businesses alone, just in the first quarter of 2016. Furthermore, a recent ransomware report from Trend Micro shows 172 percent more ransomware in the first half of 2016 than in all of 2015.

“In short, bad guys realize ransomware makes money, and you can expect them to double down in 2017,” he says.

To make matters worse, Nachreiner expects cybercriminals will mix ransomware with a network worm. Years ago, network worms like CodeRed, SQL Slammer, and more recently, Conficker were pretty common. Hackers exploited network vulnerabilities and tricks to make malware automatically spread itself over networks.

“Now, imagine ransomware attached to a network worm. After infecting one victim, it would tirelessly copy itself to every computer on your local network it could reach,” he says. “Whether or not you want to imagine such a scenario, I guarantee that cyber criminals are already thinking about it.”

Nir Polak, Co-Founder & CEO of Exabeam, a provider of user and entity behavior analytics, agrees that ransomware will move from a one-time issue to a network infiltration problem like Nachreiner describes. “Ransomware is already big business for hackers, but ransomworms guarantee repeat business. They encrypt your files until you pay, and worse, they leave behind presents to make sure their troublesome ways live on,” says Polak.


Earlier this year, Microsoft warned of a ransomworm called ZCryptor that propagated onto removable drives. With its code placed on every USB drive, employees bring more than just their presentations to a sales meeting; they’re carrying a ransomworm, which is hardly the impression you want to give a prospect.

Alex Vaystikh, cybersecurity veteran and co-founder/CTO of advanced threat detection software provider SecBI, thinks along those same lines. He says ransomware will become smarter and merge with information-stealing malware, which will first steal information and then selectively encrypt, either on-demand or when other goals have been achieved or found to be unachievable. Although ransomware is an extremely fast way to get paid as a fraudster/hacker, if you are also able to first steal some information before you encrypt the device, you can essentially hack it twice.

“In this scenario, if the victim says, 'You know what? I have backup files' and refuses to pay for decryption, the hacker can threaten to leak it all. We hear of ransomware being used in sensitive environments like in hospitals, but so far there hasn’t been significant damage. However, if the malware had first exfiltrated patient information and then encrypted it, that could have been extremely damaging,” Vaystikh says.

Norman Guadagno, chief evangelist at Carbonite, said ransomware as a service (RaaS) will continue to gain a foothold. The RaaS business model is an extremely attractive one given the minimal effort and low cost needed to launch an attack. It doesn’t require highly sophisticated technology, a knowledgeable IT expert or even a large bank account to get off the ground. All you need is a mailing list of potential targets, and RaaS does the rest as a one-stop shop for hacking resources.

"Given the success these hackers have seen so far – a $1 billion business in 2016 alone – there’s no doubt RaaS will continue to gain traction. Fortunately, just as the cloud enables RaaS, it also enables safe cloud backup to protect against attacks," he said.

Lucas Moody, CISO at Palo Alto Networks, says ransomware isn’t going away. Ever wonder what economic driver has led to the explosion of bitcoin ATMs into affluent neighborhoods in the U.S.? His hunch is it is correlated with the number of ransomware infections affecting small businesses. Ransomware in 2016 has been a significant problem, and current trends suggest that this problem will not slow down in 2017. Business resilience and recovery capabilities are the best defense to avoid frequent trips to your local bitcoin ATM, he says.

Vaystikh also foresees the first cloud data center-focused ransomware. In 2017, ransomware will target databases, causing significant downtime. There are not currently many hackers attacking corporate networks with ransomware; information-stealing malware is the preferred tool, he says.

“But what we might see in the coming year is ransomware targeting places where there is less chance of backup files being available. For example, I think we’ll see that SMBs who move their files to the cloud generally do not have backups and do not know how to recover. Specifically encrypting cloud-based data like this would have a significant impact on cloud providers and cloud infrastructures,” he says.